Documentation ¶
Overview ¶
Package crypto provides authentication and authorization capability
Index ¶
- Constants
- Variables
- func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error
- type Access
- type Account
- type Auth
- type GenerateOption
- func WithIssuer(i string) GenerateOption
- func WithMetadata(md map[string]string) GenerateOption
- func WithName(n string) GenerateOption
- func WithProvider(p string) GenerateOption
- func WithScopes(s ...string) GenerateOption
- func WithSecret(s string) GenerateOption
- func WithType(t string) GenerateOption
- type GenerateOptions
- type Option
- type Options
- type Resource
- type Rule
- type Rules
- type RulesOption
- type RulesOptions
- type Token
- type TokenOption
- type TokenOptions
- type VerifyOption
- type VerifyOptions
Constants ¶
```go
const (
	// ScopePublic is the scope applied to a rule to allow access to the public.
	// Setting a rule's scope to this value exposes the resource to unauthenticated callers.
	ScopePublic = ""
	// ScopeAccount is the scope applied to a rule to limit access to users with any valid account.
	// Setting a rule's scope to this value requires the caller to be authenticated, but any account will do.
	ScopeAccount = "*"
)
```
Variables ¶
```go
var (
	// ErrInvalidToken is returned when the token provided is not valid
	ErrInvalidToken = errors.New("invalid token provided")
	// ErrForbidden is returned when a user does not have the necessary scope to access a resource
	ErrForbidden = errors.New("resource forbidden")
)
```
Functions ¶
func VerifyAccess ¶

```go
func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error
```

VerifyAccess verifies that an account has access to a resource using the rules provided. If the account does not have access, an error is returned. If none of the provided rules match the resource, an error is also returned.
Types ¶
type Account ¶
```go
type Account struct {
	// ID of the account, e.g. a UUID. Should not change
	ID string `json:"id"`
	// Type of the account, e.g. service
	Type string `json:"type"`
	// Issuer of the account
	Issuer string `json:"issuer"`
	// Any other associated metadata
	Metadata map[string]string `json:"metadata"`
	// Scopes the account has access to
	Scopes []string `json:"scopes"`
	// Secret for the account, e.g. the password
	Secret string `json:"secret"`
	// Name of the account. User-friendly name that might change, e.g. a username or email
	Name string `json:"name"`
}
```
Account provided by an auth provider
type Auth ¶
```go
type Auth interface {
	// Init the auth
	Init(opts ...Option)
	// Options set for auth
	Options() Options
	// Generate a new account
	Generate(id string, opts ...GenerateOption) (*Account, error)
	// Inspect a token
	Inspect(token string) (*Account, error)
	// Token generated using refresh token or credentials
	Token(opts ...TokenOption) (*Token, error)
	// String returns the name of the implementation
	String() string
}
```
Auth provides authentication
type GenerateOption ¶
type GenerateOption func(o *GenerateOptions)
func WithMetadata ¶
func WithMetadata(md map[string]string) GenerateOption
WithMetadata for the generated account
func WithProvider ¶
func WithProvider(p string) GenerateOption
WithProvider for the generated account
type GenerateOptions ¶
```go
type GenerateOptions struct {
	// Metadata associated with the account
	Metadata map[string]string
	// Scopes the account has access to
	Scopes []string
	// Provider of the account, e.g. oauth
	Provider string
	// Type of the account, e.g. user
	Type string
	// Secret used to authenticate the account
	Secret string
	// Issuer of the account, e.g. micro
	Issuer string
	// Name of the account, e.g. an email or username
	Name string
}
```
func NewGenerateOptions ¶
func NewGenerateOptions(opts ...GenerateOption) GenerateOptions
NewGenerateOptions from a slice of options
type Option ¶
type Option func(o *Options)
func ClientToken ¶
ClientToken sets the auth token to use when making requests
type Options ¶
```go
type Options struct {
	// Issuer of the service's account
	Issuer string
	// ID is the service's auth ID
	ID string
	// Secret is used to authenticate the service (effectively its credential)
	Secret string
	// Token is the service's token used to authenticate itself (effectively its identity document)
	Token *Token
	// PublicKey for decoding JWTs: it verifies signatures, so it can be given to every service that inspects tokens
	PublicKey string
	// PrivateKey for encoding JWTs: it signs tokens, so only the issuer should hold it
	PrivateKey string
	// LoginURL is the relative URL path where a user can log in
	LoginURL string
	// Addrs sets the addresses of the auth service
	Addrs []string
	// Context to store other options
	Context context.Context
}
```
type Resource ¶
```go
type Resource struct {
	// Name of the resource, e.g. go.micro.service.notes
	Name string `json:"name"`
	// Type of resource, e.g. service
	Type string `json:"type"`
	// Endpoint of the resource, e.g. NotesApp.Create
	Endpoint string `json:"endpoint"`
}
```
Resource is an entity such as a user or
type Rule ¶
```go
type Rule struct {
	// ID of the rule, e.g. "public"
	ID string
	// Scope the rule requires; a blank scope indicates open to the public and * indicates the rule
	// applies to any valid account
	Scope string
	// Resource the rule applies to
	Resource *Resource
	// Access determines if the rule grants or denies access to the resource
	Access Access
	// Priority the rule should take when verifying a request; the higher the value, the sooner the
	// rule will be applied
	Priority int32
}
```
Rule is used to verify access to a resource
type Rules ¶
```go
type Rules interface {
	// Grant access to a resource
	Grant(rule *Rule) error
	// Revoke access to a resource
	Revoke(rule *Rule) error
	// List returns all the rules used to verify requests
	List(...RulesOption) ([]*Rule, error)
	// Verify an account has access to a resource using the rules
	Verify(acc *Account, res *Resource, opts ...VerifyOption) error
}
```
Rules is an interface for authorization
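The following is an added example, not code from the page or from the project it documents. It models the documented semantics of VerifyAccess (rules sorted by Priority, blank scope open to everyone, "*" open to any valid account, named scopes that the account must hold, deny rules, and an error when no rule matches) and wraps them in an in-memory store with the Grant/Revoke/List/Verify shape of the Rules interface. Everything not on the page is an assumption of this example: the AccessGranted/AccessDenied values (the page lists type Access without defining it), treating "*" in a rule's resource fields as a wildcard, breaking priority ties on rule ID, and the memRules type, which omits the variadic option parameters and does no locking.

```go
package main

import (
	"errors"
	"sort"
)

const (
	ScopePublic  = ""  // rule is open to everyone, including unauthenticated callers
	ScopeAccount = "*" // rule applies to any valid (authenticated) account
)

var ErrForbidden = errors.New("resource forbidden")

// Access is listed in the page's index but not defined there; these two values are assumed.
type Access int

const (
	AccessGranted Access = iota
	AccessDenied
)

type Account struct{ Scopes []string }

type Resource struct{ Name, Type, Endpoint string }

type Rule struct {
	ID, Scope string
	Resource  *Resource
	Access    Access
	Priority  int32
}

// matches compares fields exactly; "*" as a wildcard in a rule's resource is this example's assumption.
func matches(r, res *Resource) bool {
	return (r.Name == "*" || r.Name == res.Name) &&
		(r.Type == "*" || r.Type == res.Type) &&
		(r.Endpoint == "*" || r.Endpoint == res.Endpoint)
}

// hasScope: "" admits anyone (acc may be nil), "*" admits any non-nil account, else the scope must be held.
func hasScope(acc *Account, scope string) bool {
	if scope == ScopePublic {
		return true
	}
	if acc == nil {
		return false
	}
	for _, s := range acc.Scopes {
		if s == scope {
			return true
		}
	}
	return scope == ScopeAccount
}

// VerifyAccess: the highest-priority rule matching the resource whose scope the account satisfies
// decides; no such rule is ErrForbidden. Ties on priority break on ID (this example's choice).
func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error {
	sorted := append([]*Rule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool {
		a, b := sorted[i], sorted[j]
		return a.Priority > b.Priority || (a.Priority == b.Priority && a.ID < b.ID)
	})
	for _, r := range sorted {
		if r.Resource == nil || !matches(r.Resource, res) || !hasScope(acc, r.Scope) {
			continue
		}
		if r.Access == AccessDenied {
			return ErrForbidden
		}
		return nil
	}
	return ErrForbidden
}

// memRules has the Grant/Revoke/List/Verify shape of the Rules interface (demo: no locking, options omitted).
type memRules map[string]*Rule

func (m memRules) Grant(r *Rule) error {
	m[r.ID] = r
	return nil
}

func (m memRules) Revoke(r *Rule) error {
	delete(m, r.ID)
	return nil
}

func (m memRules) List() ([]*Rule, error) {
	out := make([]*Rule, 0, len(m))
	for _, r := range m {
		out = append(out, r)
	}
	return out, nil
}

func (m memRules) Verify(acc *Account, res *Resource) error {
	rules, _ := m.List()
	return VerifyAccess(rules, acc, res)
}
```

The deterministic tie-break matters more than it looks: List returns rules from a map in arbitrary order, so two equal-priority rules that disagree (one grant, one deny) would otherwise yield different answers on different calls. Give deny rules a higher Priority than the grants they override, as the contractor rule in the tests does, rather than relying on ordering.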
type RulesOption ¶
type RulesOption func(o *RulesOptions)
func RulesContext ¶
func RulesContext(ctx context.Context) RulesOption
func RulesNamespace ¶
func RulesNamespace(ns string) RulesOption
type RulesOptions ¶
type Token ¶
```go
type Token struct {
	// The token to be used for accessing resources
	AccessToken string `json:"access_token"`
	// RefreshToken to be used to generate a new token
	RefreshToken string `json:"refresh_token"`
	// Time of token creation
	Created time.Time `json:"created"`
	// Time of token expiry
	Expiry time.Time `json:"expiry"`
}
```
Token can be short or long lived
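The following is an added example, not code from the page or from the project it documents. It shows the division of labour the Options fields describe, a PrivateKey that encodes (signs) JWTs and a PublicKey that decodes (verifies) them, together with the Token Expiry and an Inspect that yields ErrInvalidToken for anything it cannot trust. The RS256 compact JWS layout, the claims struct, the jwtIssuer type with newIssuer, Mint and Inspect, and the explicit now parameter (the package's own Inspect takes only the token) are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// ErrInvalidToken mirrors the package variable documented above.
var ErrInvalidToken = errors.New("invalid token provided")

// Account carries the subset of the documented fields that go into the token.
type Account struct {
	ID     string   `json:"id"`
	Issuer string   `json:"issuer"`
	Scopes []string `json:"scopes"`
}

// Token mirrors the documented struct minus RefreshToken, which this example does not issue.
type Token struct {
	AccessToken string    `json:"access_token"`
	Created     time.Time `json:"created"`
	Expiry      time.Time `json:"expiry"`
}

// claims is the payload layout assumed by this example: the account plus exp/iat.
type claims struct {
	Account
	Exp int64 `json:"exp"`
	Iat int64 `json:"iat"`
}

// jwtIssuer holds the pair: the private key encodes (signs), the public key decodes (verifies).
type jwtIssuer struct {
	priv *rsa.PrivateKey
	pub  *rsa.PublicKey
}

func newIssuer() (*jwtIssuer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &jwtIssuer{priv: priv, pub: &priv.PublicKey}, nil
}

var enc = base64.RawURLEncoding

// Mint produces an RS256 compact JWS for acc that expires ttl after now.
func (j *jwtIssuer) Mint(acc *Account, ttl time.Duration, now time.Time) (*Token, error) {
	payload, err := json.Marshal(claims{Account: *acc, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return nil, err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, j.priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Token{AccessToken: signingInput + "." + enc.EncodeToString(sig), Created: now, Expiry: now.Add(ttl)}, nil
}

// Inspect needs only the public key. The algorithm is pinned to RS256 before the signature is
// checked, so a header cannot downgrade verification; claims are used only after signature and expiry pass.
func (j *jwtIssuer) Inspect(token string, now time.Time) (*Account, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	hdr, err := enc.DecodeString(parts[0])
	var h struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, ErrInvalidToken
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, ErrInvalidToken
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(j.pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, ErrInvalidToken
	}
	payload, err := enc.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrInvalidToken
	}
	return &c.Account, nil
}
```

Every failure, a wrong part count, a non-RS256 header, a bad signature, unparsable claims, a missing exp, or a token at or past its expiry, comes back as the same ErrInvalidToken, matching the single error the page documents. Keep it that way in a real Inspect: a verifier that reports why a token was rejected tells an attacker which part of a forgery to fix.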
type TokenOption ¶
type TokenOption func(o *TokenOptions)
func WithCredentials ¶
func WithCredentials(id, secret string) TokenOption
func WithToken ¶
func WithToken(rt string) TokenOption
func WithTokenIssuer ¶
func WithTokenIssuer(iss string) TokenOption
type TokenOptions ¶
```go
type TokenOptions struct {
	// ID for the account
	ID string
	// Secret for the account
	Secret string
	// RefreshToken is used to refresh a token
	RefreshToken string
	// Expiry is the time the token should live for
	Expiry time.Duration
	// Issuer of the account
	Issuer string
}
```
func NewTokenOptions ¶
func NewTokenOptions(opts ...TokenOption) TokenOptions
NewTokenOptions from a slice of options
type VerifyOption ¶
type VerifyOption func(o *VerifyOptions)
func VerifyContext ¶
func VerifyContext(ctx context.Context) VerifyOption
func VerifyNamespace ¶
func VerifyNamespace(ns string) VerifyOption